A tale of three cities

In the past few weeks, I have been at a VMware partner conference, the RSA security conference, and (this week) the Microsoft Management Summit (MMS) event. This has meant travel to Orlando, San Francisco, and Las Vegas.

It’s been interesting to see what themes or trends are the same across these three events, and which are different. By the way – I’m talking about differences in the conferences – not the cities; the cities are all similar in their love of costumes if nothing else.

Some observations:

Compliance is top of mind.

While the details of what people meant by “compliance” varied a bit, all of these events had a strong theme of compliance.

It’s no mystery that PCI, NERC, and other regulations continue to be a force. One surprise (to me, at least): SOX is still a significant driver / concern for enterprises.

Consolidation is happening in companies, in that they are looking to reduce vendor counts and move to fewer vendors with broader capabilities.

Consolidation is happening in the industry, as big fish are buying smaller vendors. This is happening primarily for two reasons:

Less-viable or struggling vendors can be acquired at bargain prices in this economy.

Growing, prosperous smaller vendors are clearly on to something valuable and can be added to a larger portfolio to expand market share & execution capabilities.

Service-impacting events and breaches are big drivers.

Many people are funding IT projects based on problems they’ve experienced or have seen in other, similar companies. This is no surprise, as they say people buy to move away from pain or toward pleasure and there is plenty of pain in outages & breaches.

This item is related to the first point about compliance, but is subtly different in my view – the difference often being that many audit requirements are more prescriptive and “check box” oriented, whereas protecting yourself from downtime and breaches is more about “posture” and process maturity. Addressing these issues tends to span more operational silos than externally driven compliance from what I’ve seen.

Management is key.

Everyone has a lot of stuff to manage, and everyone wants to get the most out of it with the least thrash and effort. This is pushing re-evaluations of management tools (whether for Ops or Security) everywhere.

People are moving from brute force or “one off” approaches to policy-based management schemes, which are essential for consistency and scalability. Policy- or standards-based approaches also insulate you somewhat from staff turnover because they make it more likely you can find someone who can step in and take over when knowledgeable staff exits the business.

Philosophy on Physical vs. Virtual vs. Hybrid

VMware is very focused on their own virtual platform, while Microsoft (once very homogeneous) is starting to embrace other OSes, support non-Microsoft virtualization platforms, and focus on support for mixed physical & virtual environments.

Security vendors are having to choose carefully – some are developing for single virtualization vendors, others are still rooted in physical, and others are seeking to conquer both aspects. This is making the landscape very crowded, a bit confusing, and may (in the short term) increase the cost & effort of securing.

Clouds, clouds, everywhere

Security vendors are pushing more and more SaaS-based security tools, as well as hybrid approaches that involve cloud-based management & monitoring of locally deployed agents.

VMware has announced its “Cloud Operating System” approach, while Microsoft is increasingly offering cloud-based implementations of its products for desktops, servers, and management (like System Center Online, which looks pretty interesting). This will create FUD in the short term, but I believe it will decrease operating costs and make it easier for enterprises to achieve more consistency of practice (particularly those who are distributed or grow through acquisition).

Clouds will create complexity in compliance, as they will make it easier to inadvertently create compliance problems (such as an offshore provider accessing US or European personnel information or personal health/financial information, which could violate the law).

To net it out, there is a lot going on – some converging, some diverging. Choosing from different solutions to the same problems is what our jobs as business and IT practitioners are about. That’s why we get paid the industry-adjusted, median bucks.

What about you? What are you seeing? Does what I’ve observed resonate or rankle you? Would love to hear your thoughts.